I'm not sure, but can you take a look at how the messages are rendered in the taskflow?
When they are rendered by an outputText, normally you can escape these things by setting escape="true", which is the default. This means that if there is no explicit escape attribute, it should escape by default and the issue should be found somewhere else.
I would also recommend opening a SR because this needs to be fixed!
Entered customization role, set escape to "true", and it solves the problem. Now injected script content is being displayed as text, but it is certainly better than script injection.
I wonder why Oracle had set it explicitly to escape="false" in this taskflow.
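
An added example (not part of the thread and not Oracle's code): a static check that lists the outputText components in a page fragment whose escape attribute is anything other than the default "true", which is the setting discussed above. The sample fragment, component ids and EL expressions are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample fragment (assumption: not the taskflow from the thread).
SAMPLE = """<jsp:root xmlns:jsp="http://java.sun.com/JSP/Page"
          xmlns:af="http://xmlns.oracle.com/adf/faces/rich"
          xmlns:h="http://java.sun.com/jsf/html">
  <af:outputText id="ot1" value="#{row.subject}"/>
  <af:outputText id="ot2" value="#{row.body}" escape="false"/>
  <h:outputText id="ot3" value="#{row.author}" escape="true"/>
  <af:outputText id="ot4" value="#{row.note}" escape="#{bean.trusted}"/>
  <af:outputText id="ot5" value="Static label" escape="false"/>
</jsp:root>"""


def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def audit_output_text(xml_text):
    """Return (id, status, value) for every outputText that is not escaped."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if local_name(el.tag) != "outputText":
            continue
        # A missing escape attribute means the default, which is "true".
        escape = el.get("escape", "true").strip().lower()
        if escape == "true":
            continue
        value = el.get("value", "")
        dynamic = "#{" in value or "${" in value  # value comes from an EL binding
        if escape == "false":
            status = "unescaped-dynamic" if dynamic else "unescaped-static"
        else:
            # escape is itself an expression; it cannot be decided statically.
            status = "escape-set-by-expression"
        findings.append((el.get("id"), status, value))
    return findings


if __name__ == "__main__":
    for comp_id, status, value in audit_output_text(SAMPLE):
        print(f"{comp_id}: {status} (value={value})")
```

Findings marked unescaped-dynamic are the ones to review first, since their content comes from a binding rather than from fixed text.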